authorMichael Merickel <michael@merickel.org>2014-02-21 21:53:09 -0600
committerMichael Merickel <michael@merickel.org>2014-02-21 21:53:09 -0600
commitb2c23953cc5142238879e0075c065f31a268a770 (patch)
tree438052c52587fbd0f99612a5ecc3514cb6364914
parent3c87ad81b0e846e7d61f86f8a5a6aff6ec3a2b9e (diff)
parentadcacf48dbf6eb84a1c1661918f3fb093a929bc2 (diff)
Merge branch 'fix.1246' into 1.5-branch
-rw-r--r--CHANGES.txt3
-rw-r--r--pyramid/session.py6
-rw-r--r--pyramid/tests/test_session.py14
3 files changed, 20 insertions, 3 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 84d0694e3..6372c904d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,9 @@ Unreleased
- Avoid crash in ``pserve --reload`` under Py3k, when iterating over posiibly
mutated ``sys.modules``.
+- ``UnencryptedCookieSessionFactoryConfig`` failed if the secret contained
+ higher order characters. See https://github.com/Pylons/pyramid/issues/1246
+
1.5b1 (2014-02-08)
==================
diff --git a/pyramid/session.py b/pyramid/session.py
index 3a045b91b..d1964c43e 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -57,7 +57,7 @@ def signed_serialize(data, secret):
response.set_cookie('signed_cookie', cookieval)
"""
pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
- sig = hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest()
+ sig = hmac.new(bytes_(secret, 'utf-8'), pickled, hashlib.sha1).hexdigest()
return sig + native_(base64.b64encode(pickled))
def signed_deserialize(serialized, secret, hmac=hmac):
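Review bot: The docstring of `signed_serialize` (its opening lines are above this hunk) should now state how the secret becomes key material, because the `'utf-8'` on the changed `hmac.new` line is a contract that `signed_deserialize` and any external verifier must match exactly: a text secret is UTF-8 encoded, and a `bytes` secret is presumably passed through by `bytes_` unchanged — confirm against pyramid.compat. Suggested docstring addition: `The secret is UTF-8 encoded before being used as the HMAC-SHA1 key; pass bytes to control the exact key material.` Since the signed payload is a pickle, the secrecy of this key is all that stands between a forged cookie and `pickle.loads` of attacker-controlled data on the receiving side, which is worth one sentence in the same docstring. The function begins before this hunk.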
@@ -81,7 +81,9 @@ def signed_deserialize(serialized, secret, hmac=hmac):
# Badly formed data can make base64 die
raise ValueError('Badly formed base64 data: %s' % e)
- sig = bytes_(hmac.new(bytes_(secret), pickled, hashlib.sha1).hexdigest())
+ sig = bytes_(hmac.new(
+ bytes_(secret, 'utf-8'), pickled, hashlib.sha1,
+ ).hexdigest())
# Avoid timing attacks (see
# http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
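Review bot: The recomputed `sig` on the new lines feeds a comparison and an unpickle that both lie past the end of this hunk, and "verify the MAC first, then `pickle.loads`" is the entire security property of this function, so it deserves to be stated where the signature is computed, e.g. `# Verify the MAC before unpickling: unpickling an unauthenticated payload is arbitrary code execution.` The outer `bytes_(...)` wrapping the hexdigest still relies on the default encoding while the inner call now names `'utf-8'`; the hexdigest is ASCII so this is harmless, but spelling out the encoding in both places keeps the call site consistent with `signed_serialize`. The constant-time comparison and the `pickle.loads` are outside the hunk; the function continues past it.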
diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 1ad0729b3..6bce764ca 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -519,7 +519,7 @@ def serialize(data, secret):
from pyramid.compat import native_
from pyramid.compat import pickle
pickled = pickle.dumps(data, pickle.HIGHEST_PROTOCOL)
- sig = hmac.new(bytes_(secret), pickled, sha1).hexdigest()
+ sig = hmac.new(bytes_(secret, 'utf-8'), pickled, sha1).hexdigest()
return sig + native_(base64.b64encode(pickled))
class Test_signed_serialize(unittest.TestCase):
@@ -531,6 +531,12 @@ class Test_signed_serialize(unittest.TestCase):
expected = serialize('123', 'secret')
result = self._callFUT('123', 'secret')
self.assertEqual(result, expected)
+
+ def test_it_with_highorder_secret(self):
+ secret = b'La Pe\xc3\xb1a'.decode('utf-8')
+ expected = serialize('123', secret)
+ result = self._callFUT('123', secret)
+ self.assertEqual(result, expected)
class Test_signed_deserialize(unittest.TestCase):
def _callFUT(self, serialized, secret, hmac=None):
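Review bot: `test_it_with_highorder_secret` compares `_callFUT` against the module-level `serialize` helper that the previous hunk changed in lockstep to `bytes_(secret, 'utf-8')`, so a wrong encoding applied in both places would still pass; the test only proves that the two copies agree. A check independent of the helper would pin the encoding itself: `self.assertEqual(self._callFUT('123', secret), self._callFUT('123', secret.encode('utf-8')))` together with `self.assertNotEqual(self._callFUT('123', secret), self._callFUT('123', secret.encode('latin-1')))`. This assumes `bytes_` passes a `bytes` secret through unchanged — confirm against pyramid.compat before relying on it. A fixed expected digest cannot be asserted instead, because `pickle.HIGHEST_PROTOCOL` differs across interpreters and changes the signed bytes.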
@@ -562,6 +568,12 @@ class Test_signed_deserialize(unittest.TestCase):
serialized = 'bad' + serialize('123', 'secret')
self.assertRaises(ValueError, self._callFUT, serialized, 'secret')
+ def test_it_with_highorder_secret(self):
+ secret = b'La Pe\xc3\xb1a'.decode('utf-8')
+ serialized = serialize('123', secret)
+ result = self._callFUT(serialized, secret)
+ self.assertEqual(result, '123')
+
class Test_check_csrf_token(unittest.TestCase):
def _callFUT(self, *args, **kwargs):
from ..session import check_csrf_token